Abstract

The multiparty key exchange introduced in Steiner et al. and presented 
in more general form by the authors is known to be secure against passive 
attacks. In this paper, an active attack is presented assuming malicious 
control of the communications of the last two users for the duration of 
only the key exchange. 


1 Introduction 

The increased use of light and mobile devices has led to the study of so-called 
mobile ad hoc networks. These are created, operated and managed by the nodes 
themselves and are therefore entirely dependent on the cooperative and trusting 
nature of the nodes. The ad hoc property of these mobile networks implies that 
the network is formed in an unplanned manner to meet an immediate demand 
and a specific goal, and that nodes are continuously joining or leaving the 
network. Key management in this type of network is therefore a very important 
issue and has been the aim of numerous works (see [1] and the references 
therein). 

One of the most widely known such schemes is due to Steiner et al. and 
is known as Cliques (cf. [1]). Cliques is a multiparty key exchange protocol 
generalizing the Diffie-Hellman key exchange based on the discrete logarithm 
problem. It is composed of an initial key agreement (IKA) to set up a first 
common key and an auxiliary key agreement (AKA) in order to refresh the key 
at any later stage. 

In [3], the authors propose a systematic way of analyzing protocol suites 
that extend the Diffie-Hellman key exchange to a group setting. They 
find interesting attacks that exploit algebraic properties of Diffie-Hellman 
exponentiation. Our attack uses a different approach: it exploits a 
weakness of one specific protocol and allows for prolonged eavesdropping. 

We will consider in particular one of the proposed initial key agreements, 
referred to in [1] as IKA.2. The authors generalize these schemes in [5], 
considering a general action on a semigroup, and this is how IKA.2 is presented 
below. 

We will then show an active attack on this protocol that requires control 
of the communications of two particular parties for only the duration of the 
key exchange. That is, unlike in a regular man-in-the-middle attack, it is not 
necessary for the attacker to control the communications after the key exchange 
in order to translate messages, since all users are made to agree on the same 
key. 

Although it is not possible for the attacker to keep a copy of the key after 
the users initiate AKA operations, we will show how she can avoid being noticed 
at that point. 

2 An Initial Key Agreement protocol 

The protocol below gives $n$ users the possibility to share an initial common key 
built from their private keys. A proof of its correctness and of its security 
against passive attacks, assuming the Diffie-Hellman problem is hard for the 
given group action, can be found in the references cited in Section 1. 

Suppose we have $n$ users $U_1, \dots, U_n$ who wish to agree upon a common key. 

Let $G$ be an abelian group, written multiplicatively. Let $S$ be a set, and 
suppose we have a group action 

$$G \times S \to S, \qquad (g, s) \mapsto g \cdot s.$$

The users publicly agree on a common element $C_0 = s \in S$, and for each 
$i = 1, \dots, n$, the user $U_i$ selects a secret group element $g_i \in G$. 

The protocol proceeds as follows: 

(1) For $i = 1, \dots, n-2$, $U_i$ sends to $U_{i+1}$ the message $C_i = g_i \cdot C_{i-1}$. 

(2) $U_{n-1}$ broadcasts $C_{n-1} = g_{n-1} \cdot C_{n-2}$ to the other users $U_1, \dots, U_{n-2}, U_n$. 

(3) $U_n$ computes the shared key $K = g_n \cdot C_{n-1}$. 

(4) For $i = 1, \dots, n-1$, $U_i$ sends $D_i = g_i^{-1} \cdot C_{n-1}$ to $U_n$. 

(5) $U_n$ broadcasts $\{g_n \cdot D_1, \dots, g_n \cdot D_{n-1}, C_{n-1}\}$ to $U_i$, $i = 1, \dots, n-1$. 

(6) For $i = 1, \dots, n-1$, $U_i$ computes the shared key $K = g_i \cdot (g_n \cdot D_i)$. 

It is easy to see that for $i = 1, \dots, n-1$ we have 

$$D_i = \Big(\prod_{j=1,\, j \neq i}^{n-1} g_j\Big)\cdot s, \qquad g_n \cdot D_i = \Big(\prod_{j=1,\, j \neq i}^{n} g_j\Big)\cdot s,$$

and therefore 

$$K = g_i \cdot (g_n \cdot D_i) = \Big(\prod_{j=1}^{n} g_j\Big)\cdot s = g_n \cdot C_{n-1},$$

which is also the key computed by $U_n$ in step (3). We write $C_n$ for this 
common value. 

From the above, we can also observe that $C_{n-1}$ is not needed by any user 
to recover the session key $K$. However, this value is disclosed for future 
rekeying purposes, as we will see later. 

Example 1. Let $F$ be a finite field. Let us consider an element $g$ of prime order 
$p$, generating the subgroup $S \subset F^*$. Then the action $\Phi\colon \mathbb{Z}_p^* \times S \to S$ defined 
by $\Phi(x, h) = h^x$ provides the Initial Key Agreement protocol introduced in [1, 
Section 4.2] as IKA.2. 

Example 2. Let us denote by $\mathcal{E}$ the group of points of an elliptic curve of 
prime order $p$. Then the action $\Phi\colon \mathbb{Z}_p^* \times \mathcal{E} \to \mathcal{E}$ defined by $\Phi(x, P) = xP$ gives 
an elliptic curve version of IKA.2 cited above. 


and finally 


C, = 


D, = 


K = C^ = 
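The following Python program is an added illustration and is not part of the paper or of any Cliques implementation. It runs the six steps above in the setting of Example 1, with exponentiation in the subgroup of order 11 of GF(23); the parameters are toy values chosen so that the intermediate elements can be checked by hand and offer no security. The names ika2, act, inv and expected_key are ours.

```python
# Added example (not from the paper): an honest run of IKA.2 in the setting of
# Example 1, i.e. G = Z_p^* acting on a subgroup S of prime order p of F^* by
# exponentiation, act(x, h) = h^x.  Toy parameters, chosen only so that the
# arithmetic is checkable by hand; they offer no security.
from math import prod

FIELD_MODULUS = 23        # F = GF(23); 23 = 2*11 + 1 is a safe prime
p = 11                    # prime order of the subgroup S generated by s
s = 2                     # 2 has order 11 modulo 23, so S = <2> has p elements


def act(x, h):
    """The group action Z_p^* x S -> S of Example 1: (x, h) |-> h^x."""
    return pow(h, x, FIELD_MODULUS)


def inv(x):
    """Inverse in the abelian group G = Z_p^* (exponents live modulo p)."""
    return pow(x, -1, p)


def ika2(secrets):
    """Run IKA.2 for n users with the given secrets g_1..g_n (all in Z_p^*).

    Returns (keys, broadcast): keys[i-1] is the key computed by U_i and
    broadcast is the list U_n sends in step (5), which every user keeps for
    later AKA operations.  Messages are modelled as values handed from one
    user to the next; the network is honest here.
    """
    n = len(secrets)
    assert n >= 3
    g = [None] + list(secrets)          # 1-based: g[i] is the secret of U_i

    # Step (1): C_i = g_i . C_{i-1} travels along the chain U_1 -> ... -> U_{n-1}.
    C = [s]                             # C_0 = s is public
    for i in range(1, n - 1):
        C.append(act(g[i], C[i - 1]))

    # Step (2): U_{n-1} broadcasts C_{n-1} = g_{n-1} . C_{n-2}.
    C.append(act(g[n - 1], C[n - 2]))
    C_n1 = C[n - 1]

    # Step (3): U_n already holds the key.
    keys = [None] * (n + 1)
    keys[n] = act(g[n], C_n1)

    # Step (4): each U_i, i < n, strips its own secret and sends D_i to U_n.
    D = [None] + [act(inv(g[i]), C_n1) for i in range(1, n)]

    # Step (5): U_n applies g_n to every D_i and appends the step-(2) value.
    broadcast = [act(g[n], D[i]) for i in range(1, n)] + [C_n1]

    # Step (6): U_i re-applies g_i to the i-th element; the last element is unused.
    for i in range(1, n):
        keys[i] = act(g[i], broadcast[i - 1])
    return keys[1:], broadcast


def expected_key(secrets):
    """(prod_j g_j) . s, the value every honest user must end with."""
    return act(prod(secrets) % p, s)
```

With secrets 3, 4, 5, 6 the product is 360, which is 8 modulo 11, so every user ends with $2^8 \bmod 23 = 3$; the step-(5) list consists of the values $E_1, \dots, E_{n-1}$ of Section 4 followed by $C_{n-1} = 9$, and one can also check $D_{n-1} = g_{n-1}^{-1} \cdot C_{n-1} = C_{n-2}$ as used in the attack.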


3 An active attack on the Initial Key Agreement 

We describe an active attack on the protocol of the preceding section. Suppose 
that the attacker $\mathcal{M}$ wants the users $U_1, \dots, U_n$ to agree on a shared key as 
usual, except that she is in possession of the key as well. 

In order to carry out our attack, $\mathcal{M}$ needs to have full control over the 
communication of the users $U_{n-1}$ and $U_n$ for the duration of the key exchange. 
However, unlike in a regular man-in-the-middle attack, she does not need to 
maintain this control after the key exchange is completed. 

In the beginning, $\mathcal{M}$ chooses her own secret group element $g \in G$. She then 
proceeds as follows: 

(a) Step (1) is carried out as usual. 

(b) $\mathcal{M}$ intercepts the broadcast of $U_{n-1}$ during step (2) and remembers the 
value $C_{n-1}$. At this point, all users except for $U_{n-1}$ are sitting in step (2), 
waiting for the broadcast that was halted. 

(c) $U_{n-1}$ proceeds to step (4), where he sends $g_{n-1}^{-1} \cdot C_{n-1} = C_{n-2}$ to $U_n$. This 
is also intercepted by $\mathcal{M}$. $U_{n-1}$ is now waiting in step (5). 

(d) $\mathcal{M}$ now makes $U_n$ believe that he received the broadcast of step (2), but 
actually sends him $g \cdot C_{n-1}$. At this point, $U_n$ computes the shared key 
$K = g_n g \cdot C_{n-1}$ and waits in step (4). 

(e) $\mathcal{M}$ now sends to $U_n$ the values $\{m_1, \dots, m_{n-3}, C_{n-2}, C_{n-1}\}$, pretending that 
they were sent by the other users in step (4). The $m_i$ are random elements 
of the orbit $G \cdot s$. 

(f) In step (5), $U_n$ sends back, among others, the values $g_n \cdot C_{n-2}$ and $g_n \cdot C_{n-1}$, 
which $\mathcal{M}$ intercepts. The user $U_n$ is now finished, and $\mathcal{M}$ can compute the 
shared key $K = g g_n \cdot C_{n-1}$. 

(g) Until now, $U_1, \dots, U_{n-2}$ have been waiting for the broadcast in step (2), 
which $\mathcal{M}$ now provides in the form of $g_n \cdot C_{n-1}$. 

(h) $U_i$, $i = 1, \dots, n-2$, go to step (4) and send back $g_i^{-1} g_n \cdot C_{n-1}$, which $\mathcal{M}$ 
intercepts. 

(i) In step (5), $\mathcal{M}$ broadcasts to $U_i$, $i = 1, \dots, n-2$, the message 

$$\{\, g g_1^{-1} g_n \cdot C_{n-1},\ \dots,\ g g_{n-2}^{-1} g_n \cdot C_{n-1},\ g g_n \cdot C_{n-2},\ g_n \cdot C_{n-1} \,\},$$

that is, $g$ applied to each value intercepted in (h) and to $g_n \cdot C_{n-2}$ from (f), 
followed by $g_n \cdot C_{n-1}$. User $U_{n-1}$ is sent the same message, but the last 
element, $g_n \cdot C_{n-1}$, is substituted by $C_{n-1}$. 

(j) The users $U_1, \dots, U_{n-2}$ now all compute the shared secret 
$K = g_i \cdot (g g_i^{-1} g_n \cdot C_{n-1}) = g g_n \cdot C_{n-1}$, and $U_{n-1}$ obtains the same value 
as $g_{n-1} \cdot (g g_n \cdot C_{n-2})$. 

Let us make some comments on the attack introduced above. First, we can 
observe that at the end of this procedure, all users as well as the attacker share 
the same key 

$$K = g g_n \cdot C_{n-1} = \Big(g \prod_{j=1}^{n} g_j\Big)\cdot s = g \cdot C_n.$$

Any passive observer will still be unable to determine the key, for the same 
reason that the original protocol is secure against passive attacks, cf. [1, Theorem 
2.1], whose proof also applies to the general setting given in Section 2 
whenever the action is transitive and the Diffie-Hellman problem is hard. 

The attacker's secret $g$ is not strictly required for the attack to work, but 
without it, the users may notice that something is amiss. Namely, in step (e), 
if we leave out $g$, the user $U_n$ may notice that $\mathcal{M}$ sent the same value $C_{n-1}$ as 
in step (d). Similarly, in step (i), the other users could notice that the attacker 
just returned their transmission from (h). Using $g$, however, the users should 
be unable to tell the difference between a regular execution of the protocol and 
the attack, again as a consequence of [1, Theorem 2.1]. 

As in the Initial Key Agreement (IKA) protocol introduced in Section 2, the 
broadcast element $g_n \cdot C_{n-1}$ is added at the end of the message in (i) in view of 
future rekeying operations and is not needed by any of the users $U_1, \dots, U_{n-2}$ 
to recover the shared key. Note that users $U_i$, $i = 1, \dots, n-2$, expect that the 
last element of the message sent in step (i) is the one broadcast in step (2) of 
the protocol, which the attacker substitutes precisely by $g_n \cdot C_{n-1}$. In the case 
of user $U_{n-1}$, who is also expecting the element sent in step (2) of the protocol, 
the element that $\mathcal{M}$ sends in step (i) is $C_{n-1}$. If this is not satisfied, the users 
might notice that something is wrong. 
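The program below is an added illustration, not code from the paper, and plays out steps (a) to (j) in the setting of Example 1 with the same toy parameters as before (exponentiation in the subgroup of order 11 of GF(23), no security). The attacker's actions are written from her point of view: every value she uses is one she intercepted in (b), (c), (f) or (h) or computed with her own $g$. The names attack, act, inv and E are ours; E computes the values $E_k$ of Section 4, which the test uses to confirm the tables the users keep afterwards.

```python
# Added example (not from the paper): the active attack of Section 3, played
# out in the setting of Example 1 (G = Z_p^* acting on a subgroup S of prime
# order p of F^* by exponentiation).  The attacker M only needs to sit on the
# links of U_{n-1} and U_n while the exchange runs.  Toy parameters, chosen so
# that the values can be checked by hand; they offer no security.
import random
from math import prod

FIELD_MODULUS = 23        # F = GF(23), a safe prime field
p = 11                    # prime order of S = <s>
s = 2                     # 2 has order 11 modulo 23


def act(x, h):
    """Group action of Example 1: (x, h) |-> h^x."""
    return pow(h, x, FIELD_MODULUS)


def inv(x):
    """Inverse in G = Z_p^*."""
    return pow(x, -1, p)


def E(secrets, k):
    """E_k = (prod_{j != k} g_j) . s, the k-th value of an honest step (5)."""
    return act(prod(secrets[:k - 1] + secrets[k:]) % p, s)


def attack(secrets, g, rng=None):
    """Run steps (a)-(j) with attacker secret g.

    Returns (keys, key_M, remembered): keys[i] is the key U_i ends with,
    key_M the attacker's copy, and remembered[i] the list U_i keeps for
    later AKA operations (the tables listed in Section 4).
    """
    rng = rng or random.Random(0)
    n = len(secrets)
    gs = [None] + list(secrets)                 # gs[i] is the secret of U_i

    # (a) Step (1) runs untouched: C_i = g_i . C_{i-1} for i <= n-2.
    C = [s]
    for i in range(1, n - 1):
        C.append(act(gs[i], C[i - 1]))

    # (b) M intercepts U_{n-1}'s broadcast C_{n-1} and withholds it.
    C_n1 = act(gs[n - 1], C[n - 2])

    # (c) U_{n-1} moves on to step (4) and sends g_{n-1}^{-1} . C_{n-1} = C_{n-2}.
    assert act(inv(gs[n - 1]), C_n1) == C[n - 2]

    # (d) M hands U_n the value g . C_{n-1} instead; U_n derives its key.
    key_n = act(gs[n], act(g, C_n1))

    # (e) Forged step-(4) values for U_n: random orbit elements, then C_{n-2}, C_{n-1}.
    m = [act(rng.randrange(1, p), s) for _ in range(n - 3)]
    fake_D = m + [C[n - 2], C_n1]

    # (f) U_n answers with g_n applied to each value plus its step-(2) input.
    bc_n = [act(gs[n], d) for d in fake_D] + [act(g, C_n1)]
    gn_C_n2, gn_C_n1 = bc_n[n - 3], bc_n[n - 2]      # g_n . C_{n-2} and g_n . C_{n-1}
    key_M = act(g, gn_C_n1)                          # g g_n . C_{n-1}

    # (g)/(h) M releases g_n . C_{n-1} as the step-(2) broadcast; U_1..U_{n-2}
    # reply with g_i^{-1} g_n . C_{n-1}, which M intercepts.
    replies = [act(inv(gs[i]), gn_C_n1) for i in range(1, n - 1)]

    # (i) M applies g to every intercepted value and appends g_n . C_{n-1};
    # U_{n-1} gets the same list with C_{n-1} in the last slot.
    msg = [act(g, r) for r in replies] + [act(g, gn_C_n2), gn_C_n1]
    msg_n1 = msg[:-1] + [C_n1]

    # (j) Every user applies its own secret to its slot.
    keys = {i: act(gs[i], msg[i - 1]) for i in range(1, n - 1)}
    keys[n - 1] = act(gs[n - 1], msg_n1[n - 2])
    keys[n] = key_n
    remembered = {i: msg for i in range(1, n - 1)}
    remembered[n - 1] = msg_n1
    remembered[n] = bc_n
    return keys, key_M, remembered
```

With secrets 3, 4, 5, 6 and $g = 2$ the honest key would be 3; instead every user and the attacker end with $g \cdot C_n = 3^2 \bmod 23 = 9$, and the tables the users keep are exactly those of Section 4: $\{g \cdot E_1, \dots, g \cdot E_{n-1}, C_n\}$ for $U_1, \dots, U_{n-2}$, the same list ending in $E_n$ for $U_{n-1}$, and $\{g_n \cdot m_1, E_{n-1}, C_n, g \cdot E_n\}$ for $U_n$.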


4 An exit strategy 

After the attack of Section 3, the attacker $\mathcal{M}$ shares the key with the users 
$U_1, \dots, U_n$ and can listen in on their conversation without any further active 
measures. However, at some point after that, the users may wish to execute an 
AKA operation, that is, a key refreshment, the addition of a new member 
to the group, etc., as described in [1, Section 5]. After this point, the attacker 
can certainly no longer listen to the conversation. Even worse, the values the 
users remember from step (5) of the protocol differ substantially from 
normal, and any key refresh operation will thus fail completely, alerting the 
users to the attack. 

In what follows, we will describe how the attacker can avoid being noticed 
by forging key refresh operations herself, assuming that any user may initiate a 
key refreshment at any time. 

First, we recall the key refresh operation after a regular execution of IKA.2, 
adapted from [1, Section 5.6]. Suppose user $U_c$ wishes to initiate a key refreshment. 
He remembers from step (5) of the key agreement protocol the values 
$\{E_1, \dots, E_n\}$, where $E_k = \big(\prod_{j=1,\, j \neq k}^{n} g_j\big)\cdot s$, $k = 1, \dots, n$. He picks a new secret 
$g'_c \in G$ and broadcasts 

$$\{\, g'_c \cdot E_1,\ \dots,\ g'_c \cdot E_{c-1},\ E_c,\ g'_c \cdot E_{c+1},\ \dots,\ g'_c \cdot E_n \,\}.$$

Now all users can compute the new key $g'_c \cdot C_n = g'_c \cdot \big(\prod_{j=1}^{n} g_j\big)\cdot s$: user 
$U_k$, $k \neq c$, applies $g_k$ to the $k$-th element, while $U_c$ applies $g'_c g_c$ to $E_c$. User $U_c$ 
also replaces his own secret with $g'_c g_c$, and everyone replaces the information 
remembered from step (5) with this new broadcast. 

Remark 4.1. One important detail to note is that when $U_c$ initiates the key 
refreshment, the value $E_c$ he sends in position $c$ is unchanged and already known 
to the other users. Hence, if $\mathcal{M}$ wishes to forge a key refreshment coming from 
$U_c$, she has to make sure that each user receives in position $c$ the value he 
previously held there. Otherwise, the attack could be discovered. 

Suppose now that the attacker $\mathcal{M}$ has just executed the attack from Section 3. 
Instead of $\{E_1, \dots, E_n\}$, the users now remember the following values (note that 
$E_n = C_{n-1}$, $E_{n-1} = g_n \cdot C_{n-2}$ and $C_n = g_n \cdot C_{n-1}$, all of which $\mathcal{M}$ intercepted 
or computed during the attack): 

• For $i = 1, \dots, n-2$, $U_i$ remembers $\{g \cdot E_1, \dots, g \cdot E_{n-1}, C_n\}$. 

• $U_{n-1}$ remembers $\{g \cdot E_1, \dots, g \cdot E_{n-1}, E_n\}$. 

• $U_n$ remembers $\{g_n \cdot m_1, \dots, g_n \cdot m_{n-3}, E_{n-1}, C_n, g \cdot E_n\}$. 

Evidently, if some user tries to initiate a key refreshment with these values, 
the operation will fail. However, $\mathcal{M}$ can bring the users into a consistent state 
by forging two key refresh operations herself. For this, she needs to still have 
control over the communications of $U_{n-1}$ and $U_n$, as in the original attack. 

First, $\mathcal{M}$ picks two new random values $f$ and $h \in G$. Then, she forges a key 
refresh operation by sending the following values to the different users: 

• To $U_i$, $i = 1, \dots, n-2$, she sends 

$$\{\, hg \cdot E_1,\ hg \cdot E_2,\ \dots,\ hg \cdot E_{n-2},\ g \cdot E_{n-1},\ fhg \cdot E_n \,\},$$

pretending it came from $U_{n-1}$. 

• To $U_{n-1}$, she sends 

$$\{\, fhg \cdot E_1,\ hg \cdot E_2,\ \dots,\ hg \cdot E_{n-2},\ hg \cdot E_{n-1},\ E_n \,\},$$

pretending it came from $U_n$. 

• To $U_n$, she sends 

$$\{\, fhg \cdot E_1,\ hg \cdot E_2,\ \dots,\ hg \cdot E_{n-2},\ C_n,\ hg \cdot E_n \,\},$$

pretending it came from $U_{n-1}$. 

After this, the users will agree on the shared key $hg \cdot C_n$, which is also known 
to $\mathcal{M}$. As remarked above, if a user is made to believe that he received a key 
refreshment from $U_c$, he must receive in position $c$ the value he already held 
there; this is the case for position $n-1$ of the first message, position $n$ of the 
second and position $n-1$ of the third. 

Now, the values held by the users are still inconsistent, so $\mathcal{M}$ has to forge a 
second key refreshment: 

• To $U_i$, $i = 1, \dots, n-2$, she sends 

$$\{\, fhg \cdot E_1,\ \dots,\ fhg \cdot E_n \,\},$$

pretending it came from $U_n$. 

• To $U_{n-1}$ and $U_n$, she sends 

$$\{\, fhg \cdot E_1,\ \dots,\ fhg \cdot E_n \,\},$$

pretending it came from $U_1$. 

Now, all users and the attacker agree on the shared key $fhg \cdot C_n$. Furthermore, all 
users remember the same consistent values for key refreshment. If in the future 
any user initiates a key refreshment or other AKA operation, the attacker will 
lose access to the key, but the operation itself will work out without problem 
and without the users noticing anything wrong. 
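The program below is an added illustration, not code from the paper, of the two forged refreshments above. It starts from the three tables listed at the beginning of this section (built directly from the $E_k$ in the toy setting of Example 1, subgroup of order 11 of GF(23), no security) rather than by re-running the attack, applies both forgeries, and then lets one user run an honest refresh. Each receiving user enforces the position-$c$ check of Remark 4.1, so a forged message that violates it is rejected. The class User and the functions exit_strategy, honest_refresh and rejected are ours; the entries $g_n \cdot m_i$ in $U_n$'s table, which are random in the attack, are replaced by fixed stand-ins.

```python
# Added example (not from the paper): the two forged key refreshments of
# Section 4, replayed from the inconsistent tables the attack leaves behind,
# in the setting of Example 1 (exponentiation in a prime-order subgroup of
# GF(23)).  Toy parameters, chosen for hand-checkable values; no security.
from math import prod

FIELD_MODULUS = 23        # F = GF(23), a safe prime field
p = 11                    # prime order of S = <s>
s = 2                     # 2 has order 11 modulo 23


def act(x, h):
    """Group action of Example 1: (x, h) |-> h^x."""
    return pow(h, x, FIELD_MODULUS)


class User:
    """A group member holding its secret and the table from step (5)."""

    def __init__(self, idx, secret, table):
        self.idx, self.secret, self.table, self.key = idx, secret, list(table), None

    def initiate_refresh(self, g_new):
        """Key refresh of [1, Section 5.6]: apply g_new to every slot but our own."""
        msg = [e if k == self.idx else act(g_new, e) for k, e in enumerate(self.table, 1)]
        self.secret = g_new * self.secret % p          # g_c  <-  g'_c g_c
        self.accept_refresh(self.idx, msg)
        return msg

    def accept_refresh(self, c, msg):
        """Process a refresh that claims to come from U_c."""
        # Remark 4.1: slot c must equal the value we already hold there.
        if msg[c - 1] != self.table[c - 1]:
            raise ValueError(f"U_{self.idx}: slot {c} changed, refresh rejected")
        self.table = list(msg)
        self.key = act(self.secret, msg[self.idx - 1])


def rejected(user, c, msg):
    """True if user refuses a refresh claiming to come from U_c."""
    try:
        user.accept_refresh(c, msg)
    except ValueError:
        return True
    return False


def exit_strategy(secrets, g, f, h):
    """Replay Section 4 after an attack with attacker secret g.

    Returns (users, keys after the first forgery, keys after the second).
    """
    n = len(secrets)
    # Values the attacker learned during the attack: E_k, C_n and her own g.
    E = [None] + [act(prod(secrets[:k - 1] + secrets[k:]) % p, s) for k in range(1, n + 1)]
    Cn = act(prod(secrets) % p, s)
    gE = [None] + [act(g, e) for e in E[1:]]
    junk = [act(k + 2, s) for k in range(n - 3)]        # stand-ins for g_n . m_i
    # Tables as listed in Section 4.
    users = {i: User(i, secrets[i - 1], gE[1:n] + [Cn]) for i in range(1, n - 1)}
    users[n - 1] = User(n - 1, secrets[n - 2], gE[1:n] + [E[n]])
    users[n] = User(n, secrets[n - 1], junk + [E[n - 1], Cn, gE[n]])

    hg, fhg = h * g % p, f * h * g % p
    HG = [None] + [act(hg, e) for e in E[1:]]
    FHG = [None] + [act(fhg, e) for e in E[1:]]

    # First forged refresh: slot n-1 / n / n-1 is left as each victim holds it.
    for i in range(1, n - 1):
        users[i].accept_refresh(n - 1, HG[1:n - 1] + [gE[n - 1], FHG[n]])
    users[n - 1].accept_refresh(n, [FHG[1]] + HG[2:n] + [E[n]])
    users[n].accept_refresh(n - 1, [FHG[1]] + HG[2:n - 1] + [Cn, HG[n]])
    first = [users[i].key for i in range(1, n + 1)]

    # Second forged refresh brings every table to {fhg . E_1, ..., fhg . E_n}.
    for i in range(1, n - 1):
        users[i].accept_refresh(n, FHG[1:])
    users[n - 1].accept_refresh(1, FHG[1:])
    users[n].accept_refresh(1, FHG[1:])
    second = [users[i].key for i in range(1, n + 1)]
    return users, first, second


def honest_refresh(users, c, g_new):
    """After the exit strategy, U_c refreshes honestly; returns the set of keys."""
    msg = users[c].initiate_refresh(g_new)
    for i, u in users.items():
        if i != c:
            u.accept_refresh(c, msg)
    return {u.key for u in users.values()}
```

With secrets 3, 4, 5, 6, $g = 2$, $f = 3$ and $h = 5$ the users move from $g \cdot C_n = 9$ to $hg \cdot C_n = 8$ and then to $fhg \cdot C_n = 6$; afterwards all four tables coincide, an honest refresh by $U_2$ yields a single common key, and a message whose claimed sender does not match the untouched slot is refused.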
Remark 4.2. An alternative course of action for $\mathcal{M}$ is to convert the attack into 
a regular man-in-the-middle attack on $U_n$ at the time of the first key refreshment. 
For this, note that, given the values each user remembers, a key refreshment 
initiated by $U_c$, $c < n-2$, works well for all users but $U_n$. The attacker can 
then intercept the broadcast arriving at $U_n$ and replace it with random values, 
except that at position $n$ she sends $h \cdot E_n$ for some random $h \in G$, and at 
position $c$ she sends $g_n \cdot m_c$, which she knows from step (f) of the attack. Then 
$\mathcal{M}$ will have the key $g g'_c \cdot C_n$ in common with $U_i$, $i \le n-1$, as well as $h \cdot C_n$ with 
$U_n$. From then on, she can run a regular man-in-the-middle attack. A similar 
attack can be carried out if $U_{n-2}$ initiates a key refreshment, but not if $U_{n-1}$ does 
so. In this case, the attacker can intercept and apply $g$ to the message for $U_n$ 
so that all users agree on a common key without noticing the previous attack. 